过掉某加固2023年9月的frida检测
本帖最后由 rhtnll 于 2024-7-30 07:19 编辑1.hook pthread_create
setImmediate(check_pthread_create);
function check_pthread_create() {
var pthread_create_addr = Module.findExportByName(null, 'pthread_create');
var pthread_create = new NativeFunction(pthread_create_addr, "int", ["pointer", "pointer", "pointer", "pointer"]);
Interceptor.replace(pthread_create_addr, new NativeCallback(function (parg0, parg1, parg2, parg3) {
var so_name = Process.findModuleByAddress(parg2).name;
var so_path = Process.findModuleByAddress(parg2).path;
var so_base = Module.getBaseAddress(so_name);
var offset = parg2 - so_base;
var PC = 0;
if ((so_name.indexOf("libjiagu") > -1)) {
console.log("======")
console.log("find thread func offset", so_name, offset.toString(16));
Thread.backtrace(this.context, Backtracer.ACCURATE).map(addr_in_so);
var check_list = []//1769036,1771844
if (check_list.indexOf(offset)!==-1) {
console.log("check bypass")
} else {
PC = pthread_create(parg0, parg1, parg2, parg3);
}
} else {
PC = pthread_create(parg0, parg1, parg2, parg3);
}
return PC;
}, "int", ["pointer", "pointer", "pointer", "pointer"]))
}
function addr_in_so(addr){
var process_Obj_Module_Arr = Process.enumerateModules();
for(var i = 0; i < process_Obj_Module_Arr.length; i++) {
if(addr>process_Obj_Module_Arr.base && addr<process_Obj_Module_Arr.base.add(process_Obj_Module_Arr.size)){
console.log(addr.toString(16),"is in",process_Obj_Module_Arr.name,"offset: 0x"+(addr-process_Obj_Module_Arr.base).toString(16));
}
}
}
输出日志如下
Spawned `com.oacia.apk_protect`. Resuming main thread!
-> ======
find thread func offset libjiagu_64.so 1ac1f0
7e210e71bc is in libjiagu_64.so offset: 0x1ac1bc
7e210e71bc is in libjiagu_64.so offset: 0x1ac1bc
======
find thread func offset libjiagu_64.so 1b0944
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1ae778
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1afe2c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1afe4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b29b8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
======
find thread func offset libjiagu_64.so 1a6d4c
find thread func offset libjiagu_64.so 1a6d4c
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
======
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
Process terminated
我们发现 pthread_create 的调用都指向了同一个地址 0x17710
拜读大佬文章后(https://bbs.kanxue.com/thread-280609.htm)已经知道这里是用libffi动态调用函数了,那么可以直接hook寄存器x6过掉检测
function isValidPointer(curPtr){
let MinValidPointer = 0x10000
var isValid = curPtr > MinValidPointer
return isValid
}
function my_hook_dlopen(soName='') {
Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),
{
onEnter: function (args) {
var pathptr = args;
if (pathptr !== undefined && pathptr != null) {
var path = ptr(pathptr).readCString();
//console.log(path);
if (path.indexOf(soName) >= 0) {
this.is_can_hook = true;
}
}
},
onLeave: function (retval) {
if (this.is_can_hook) {
anti_frida_check();
}
}
}
);
}
function anti_frida_check(){
var module = Process.findModuleByName("libjiagu_64.so");
Interceptor.attach(module.base.add(0x1770c), {
onEnter: function (args) {
try{
if (isValidPointer(this.context.x6) && isValidPointer(this.context.x0)) {
var s = this.context.x6.readCString();
if (s.indexOf("tmp") !== -1 ||
s.indexOf("frida") !== -1 ||
s.indexOf("gum-js-loop") !== -1 ||
s.indexOf("gmain") !== -1 ||
s.indexOf("gdbus") !== -1 ||
s.indexOf("pool-frida") !== -1||
s.indexOf("linjector")!==-1 ||
s.indexOf("/proc/")!==-1){
//console.log(s)
Memory.protect(this.context.x0, Process.pointerSize, "rwx");
var replace_str=""
for(var i=0;i<s.length;i++){
replace_str+="000"
}
this.context.x0.writeUtf8String(replace_str);
}
}
}
catch (e){
}
},
onLeave: function (ret) {
}
});
}
setImmediate(my_hook_dlopen,'libjiagu');
至此就过掉了frida检测,又可以愉快地hook了
->
-> Java
{
"ACC_ABSTRACT": 1024,
"ACC_BRIDGE": 64,
"ACC_FINAL": 16,
"ACC_NATIVE": 256,
"ACC_PRIVATE": 2,
"ACC_PROTECTED": 4,
"ACC_PUBLIC": 1,
"ACC_STATIC": 8,
"ACC_STRICT": 2048,
"ACC_SYNCHRONIZED": 32,
"ACC_SYNTHETIC": 4096,
"ACC_VARARGS": 128,
"_apiError": null,
"_cachedIsAppProcess": null,
"_initialized": true,
"_pendingMainOps": [],
"_pendingVmOps": [],
"_pollListener": null,
"_wakeupHandler": null,
"api": {
"$delete": "0x7752a54f4c",
"$new": "0x7752a54e78",
"JNI_GetCreatedJavaVMs": "0x76b8e5fd24",
"addLocalReference": null,
"art::ClassLinker::VisitClassLoaders": "0x76b8c9f348",
"art::ClassLinker::VisitClasses": "0x76b8c9f3d0",
"art::Dbg::SetJdwpAllowed": "0x76b8cefc10",
"art::Instrumentation::Deoptimize": "0x76b8dd7b30",
"art::Instrumentation::DeoptimizeEverything": "0x76b8dd8630",
"art::JavaVMExt::AddGlobalRef": "0x76b8e5b408",
"art::Monitor::TranslateLocation": "0x76b8f5c0fc",
"art::ReaderWriterMutex::ExclusiveLock": "0x76b8c81a00",
"art::ReaderWriterMutex::ExclusiveUnlock": "0x76b8c81d24",
"art::Runtime::DeoptimizeBootImage": "0x76b902e020",
"art::StackVisitor::GetMethod": "0x76b9046f6c",
"art::StackVisitor::StackVisitor": "0x76b9048238",
"art::StackVisitor::WalkStack": "0x76b9045a58",
"art::Thread::CurrentFromGdb": "0x76b90738e8",
"art::Thread::DecodeJObject": "0x76b906dc90",
"art::Thread::GetLongJumpContext": "0x76b9074088",
"art::ThreadList::ResumeAll": "0x76b90815e4",
"art::ThreadList::SuspendAll": "0x76b9080de8",
"art::interpreter::GetNterpEntryPoint": "0x76b91371c8",
"art::jni::JniIdManager::DecodeMethodId": "0x76b8e63bb4",
"art::mirror::Class::GetDescriptor": "0x76b8f31a74",
"artClassLinker": {
"address": "0xb4000076bc49ac00",
"quickGenericJniTrampoline": "0x6f63f030",
"quickImtConflictTrampoline": "0x6f63f040",
"quickResolutionTrampoline": "0x6f63f050",
"quickToInterpreterBridgeTrampoline": "0x6f63f060"
},
"artHeap": "0xb4000076bc429700",
"artInstrumentation": "0xb4000076bc4d2f20",
"artNterpEntryPoint": "0x76b8c00090",
"artQuickGenericJniTrampoline": "0x76b8c1a2c0",
"artQuickResolutionTrampoline": "0x76b8c1a180",
"artQuickToInterpreterBridge": "0x76b8c1a430",
"artRuntime": "0xb4000076bc4d2c00",
"artThreadList": "0xb4000076bc438000",
"flavor": "art",
"kAccCompileDontBother": 33554432,
"module": {
"base": "0x76b8a00000",
"name": "libart.so",
"path": "/apex/com.android.art/lib64/libart.so",
"size": 10584064
},
"vm": "0xb4000076bc490380"
},
"classFactory": {
"_classHandles": {
"capacity": 10,
"items": {}
},
"_classes": {},
"_loader": null,
"_patchedMethods": {},
"_types": [
{},
{}
],
"cacheDir": "/data/local/tmp",
"codeCacheDir": "/data/local/tmp/dalvik-cache",
"tempFileNaming": {
"prefix": "frida",
"suffix": ""
}
},
"vm": {
"handle": "0xb4000076bc490380"
}
}
->
厉害了!感谢分享 标题说的是23.9月的,能否给个样本学习一下呢 学习一下 分析的比较透彻
本帖最后由 rhtnll 于 2024-7-15 18:09 编辑
debug_cat 发表于 2024-7-15 14:36
标题说的是23.9月的,能否给个样本学习一下呢
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3 rhtnll 发表于 2024-7-15 18:06
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3
我还是小白,看了好多课都说这个frida,它能干什么呢,请教下 rhtnll 发表于 2024-7-15 18:06
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3
谢谢啦!!!{:1_921:} 学习了学习了 Zshltd 发表于 2024-7-15 22:24
我还是小白,看了好多课都说这个frida,它能干什么呢,请教下
frida是hook框架
页:
[1]
2